I looked and cannot see anywhere that he old role is stored - it is just overwritten with the new role in the database
There is no System Administration auditing except for minor things such as who last published a container or modified a rule or report.
System Admin audit is requested as part of this feature: Administrator Audit Logs
It's something I could theoretically custom develop.. I had built a proof of concept about 4 years ago.